Jump to content
Welcome to our new Citrix community!

Active/Passive login question

John Rafter

Recommended Posts

Citrix access - GSLB setup across two sites, one been active the other passive. Accessing the active site URL with no issue from the outside. If one attempts to navigate to the passive site via site public IP, we get to the landing page but login fails. It even goes as far as getting past MFA but then errors "your login has expired, please log on again to continue". I guess my questions is 2 fold...should one be able to get to the passive site directly? Should one be able to login if possible or what does this depend on?

Link to comment
Share on other sites

In part it depends on the GSLB setup. Did you do the active/passive config a gslb vserver pointin got svc_a (primary) and gslb vserver 2 pointing to svc_b (backup) with gslb vserver 2 specified as the backup vserver for gslb vserver 1.  Does gslb vserver 2 have a domain name (fqdn) bound to it to it will resolve the backup fqdn to its own ip.  If its misconfigured, you could have issues.


add gslb service gslb_svc_a  <primary> ...

add gslb service gslb_svc_b <secondary> ...

add gslb vserver glsb_vsrv_primary ....

    bind gslb vserver gslb_vsrv_primary -serviceName gslb_svc_a

    bind gslb vserver gslb_vsrv_primary -domainName <primary fqdn>

add gslb vserver gslb_vsrv_secondary ...

    bind gslb vserver gslb_vsrv_secondary -serviceName gslb_svc_b

    bind gslb vserver gslb_vsrv_secondary -domainName <backup fqdn>

set gslb vserver gslb_vsrv_primary -backupvServer gslb_vsrv_secondary


Is the backup FQDN being resolved by both static dns and the ADC at the same time and in conflict?


In general:

To use both the gslb shared name on either destination (A or B) and the secondary site Name on B, then destination B would need a wildcard or a multi-san cert so it will accept either FQDN (primary or secondary).


More specifically, if you were doing something like SAML as your authentication, the IDP wouldn't expect multiple service provider "fqdns" and so it may not like the direct-acess secondary name and is only configured to expect the primary name.  So for a generic web site, it is possible to use the shared gslb name or site-specific names.  For this specific authentication scenario, it depends on what the authentication is dependent on, on whether you can switch from gslb shared name to site-specific (secondary) name or not.


  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...